Hackers Demand Google Fire Two Threat Intel Experts or Face Data Leak
Scattered LapSus Hunters issue ultimatum amid rising phishing attacks from Salesforce breach fallout. A criminal alliance demands Google terminate its own threat intelligence researchers investigating their activities.

The Ultimatum: Criminals vs. Investigators
A hacker alliance calling itself "Scattered LapSus Hunters" has issued an extraordinary ultimatum to Google: terminate two key threat intelligence experts or face a data leak. The demand represents an unprecedented escalation in the ongoing cat-and-mouse game between cybercriminals and corporate security teams.
The Threat
The hacker alliance has demanded Google terminate Austin Larsen and Charles Carmakal, both affiliated with Google's Threat Intelligence Group. Additionally, they want all investigations into their network halted.
This isn't just about personnel—it's about dismantling the very infrastructure that tracks and counters their criminal activities.
Who Are the "Scattered LapSus Hunters"?
The group appears to fuse three notorious cybercrime factions, each with a history of high-profile cyberattacks:
• Scattered Spider
Known for sophisticated social engineering attacks targeting major corporations and cloud infrastructure providers.
• LapSus$
The infamous group behind breaches of Microsoft, Nvidia, Samsung, and other tech giants, known for their brazen tactics and young membership.
• ShinyHunters
Prolific data brokers responsible for breaches affecting millions of users across multiple platforms and services.
This fusion represents a concerning evolution in cybercrime organization—combining the technical sophistication of Scattered Spider, the audacity of LapSus$, and the data monetization expertise of ShinyHunters.
Evidence and Escalation
Critical Assessment: To date, the hackers haven't substantiated claims of holding Google's data. No breach of Google's internal infrastructure has been verified.
This raises important questions about whether this is a legitimate threat or an attempt to manipulate through fear and publicity. The lack of evidence doesn't diminish the seriousness of the situation, but it does suggest this may be more psychological warfare than demonstrated capability.
Background Trigger: Salesforce Breach Aftermath
The current escalation stems from recent events:
August 2025: A ShinyHunters-led breach of Salesforce exposed business contacts, sparking a wave of phishing and vishing targeting Gmail users.
Google's Response: The company issued a global security alert urging password changes across affected accounts.
Current Impact: Around 37% of account hijacking attempts on Google platforms are now connected to phishing attacks using that stolen Salesforce data.
This connection suggests the ultimatum may be retaliation for Google's aggressive response to the Salesforce breach fallout.
Community Analysis: Criminal Logic
Online security commentators have offered pointed analogies for the situation. As one observer noted: "They're basically trying to disband the detectives investigating them."
This analogy captures the absurdity of the demand—criminals attempting to eliminate the very researchers tracking their activities. It's equivalent to bank robbers demanding police fire the detective investigating their case.
The researchers in question are literally investigating their hacking group. The demand reveals both desperation and a fundamental misunderstanding of how legitimate organizations respond to criminal threats.
Cybersecurity Implications
This incident highlights several critical trends in modern cybercrime:
1. Organizational Evolution
Criminal groups are forming alliances and federations, combining specialized skills and resources.
2. Direct Confrontation
Rather than operating in shadows, some groups are directly challenging corporate security infrastructure.
3. Psychological Warfare
Using ultimatums and threats to create pressure and media attention, even without demonstrated capabilities.
4. Breach Ecosystem Effects
One major breach (Salesforce) creates cascading security challenges across the entire digital ecosystem.
What's Next: The Crossroads
The situation remains volatile. Google has not publicly responded to the ultimatum, and the tech world watches closely for developments.
If Google Folds:
Capitulating to criminal demands would set a dangerous precedent, essentially signaling that threatening researchers is an effective tactic. It would be open season on threat intelligence professionals across the industry.
If Google Stands Firm:
The question becomes what these criminals will do to satisfy their "juvenile virginal need for vengeance from Mom's basement"—as one commentator colorfully described their apparent motivation.
The Broader Security Landscape
This incident occurs against a backdrop of increasingly sophisticated and brazen cybercrime. The formation of criminal alliances, the targeting of security researchers, and the weaponization of previous breaches all point to an evolving threat landscape that requires equally sophisticated defenses.
Analysis: Desperation or Strategy?
The ultimatum may reveal more about the criminals' situation than their capabilities:
- Pressure from investigations may be making their operations difficult
- Media attention might be their primary goal rather than actual data theft
- Lack of evidence suggests limited actual access to Google infrastructure
- Public demands indicate a departure from typical criminal operational security
Conclusion: Standing Against Intimidation
The cybersecurity community's response to this ultimatum will set important precedents. Giving in to criminal demands targeting researchers would fundamentally undermine the security infrastructure that protects millions of users.
The investigators being threatened are doing exactly what they should be doing: investigating criminal activity and protecting users from harm.
When criminals demand that companies fire their own security researchers, the response reveals everything about both the state of cybercrime and the integrity of corporate security commitments. This is a test that extends far beyond Google.